Mitigation of JavaScript-Based Fingerprinting Attacks Reliant on Client Data Generation

Authors

Presenter(s)

Nathan Joslin

Comments

Presentation: 10:40-11:00 a.m., Jessie Hathcock Hall 101

Description

Although fingerprinting methods are currently used by fraud detection companies as a secondary form of identification, they can just as easily be used maliciously. By nature, fingerprinting reveals software and hardware information that attackers may use to their advantage. Attackers with access to this sensitive information may target users running a software version known to have vulnerabilities, silently track a user’s activity across the web, or even reveal a user’s identity. Additionally, fingerprinting is silent and is often done without the user knowing that their fingerprint is being collected. As a result, it is nearly impossible for average users to opt out of or block fingerprinting attacks.

In this thesis, we leverage the MyWebGuard browser extension developed by Phung et al. to enforce dynamic policies on web pages that engage in device fingerprinting. MyWebGuard implements an Inline Reference Monitor (IRM) to supervise the JavaScript operations carried out on web pages. Three types of JavaScript operations are monitored: method calls, object creation and access, and property access. When these operations are executed, the IRM intercepts them, allowing for policy enforcement. Because this policy enforcement mechanism monitors JavaScript operations, it is an excellent method to mitigate JavaScript-based fingerprinting. In this work, we focus on monitoring dynamic fingerprinting methods that rely on generating unique data rather than collecting static attributes. As for the mitigation approach, we chose a randomization method rather than normalization or domain-based blocking. This “moving target” approach is intended to constantly change a given device’s fingerprint over time, making it increasingly difficult for malicious actors to track a device across the web. A further motivation behind this mitigation method is to limit major site breakage, a phenomenon common with current anti-fingerprinting technologies, while protecting user privacy.
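
The mechanism described above, sketched as an added example that is not MyWebGuard's code or code from the thesis: a method-call monitor wraps a data-generating method, and a randomization policy perturbs its output so the fingerprint derived from it changes between calls. `FakeCanvas`, `getPixels`, `monitor`, `randomizePolicy` and `fingerprint` are hypothetical names, and the pixel bytes are constructed sample data.

```javascript
const nodeCrypto = require('crypto');

// Constructed stand-in for a data-generating browser API (e.g. a canvas readout).
// Unmonitored, it returns the same bytes on every call: a stable fingerprint source.
class FakeCanvas {
  getPixels() { return Uint8Array.from([12, 200, 33, 255, 90, 14, 7, 255]); }
}

// Method-call monitor: wrap proto[name] so every call passes through a policy,
// which decides what the caller actually receives.
function monitor(proto, name, policy) {
  const original = proto[name];
  proto[name] = function (...args) {
    const result = original.apply(this, args); // run the real operation
    return policy({ name, args, result });      // enforce the policy on its result
  };
  return () => { proto[name] = original; };     // restores the unmonitored method
}

// Randomization ("moving target") policy: flip the low bit of one byte per call.
// The data keeps its length and is almost unchanged, which limits breakage.
// rand(n) must return an integer in [0, n); it is injectable for testing.
function randomizePolicy(rand = nodeCrypto.randomInt) {
  return ({ result }) => {
    const out = Uint8Array.from(result);        // copy, never mutate the original
    out[rand(out.length)] ^= 1;
    return out;
  };
}

// What a fingerprinting script would derive from the generated data.
function fingerprint(canvas) {
  return nodeCrypto.createHash('sha256').update(canvas.getPixels()).digest('hex');
}

function demo(rand) {
  const canvas = new FakeCanvas();
  const baseline = fingerprint(canvas);
  const unmonitor = monitor(FakeCanvas.prototype, 'getPixels', randomizePolicy(rand));
  const first = fingerprint(canvas);
  const second = fingerprint(canvas);
  unmonitor();
  return { baseline, first, second, restored: fingerprint(canvas) };
}

console.log(demo());
```
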

Publication Date

4-19-2023

Project Designation

Honors Thesis

Primary Advisor

Phu Phung, Ahmed El Ouadrhiri

Primary Advisor's Department

Computer Science

Keywords

Stander Symposium, College of Arts and Sciences

Institutional Learning Goals

Scholarship; Vocation; Community
